Moderator note: This is a bit of a followup for the posts that claim that installations of the patch were done yet infection still happened. The fact that 1/4 of the installations appear to have failed for some reason with this person may indicate that organizations should audit the file versions. Apologies for the cross post, but I thought these numbers might give people pause.

---------- Forwarded message ----------
Date: Wed, 13 Aug 2003 11:28:34 -0500
From: Gavin Haslett <gavinat_private>
Reply-To: Windows NTBugtraq Mailing List <NTBUGTRAQat_private>
To: NTBUGTRAQat_private
Subject: MS03-026 Update Problems?

I just wanted to relay my experience recently with MS03-026 and see if anyone else has had such a problem:

The patch was installed across the board on all ~200 of our servers, and a check of the registry still shows it installed. On a whim, I built myself a query to check the file versions of those files installed with MS03-026. Lo and behold, 53 of our servers (13 Windows 2000, 40 NT4) all show the wrong file versions. A quick controlled "DCOM Hack Attempt" does indeed show that those servers are in fact still vulnerable.

Now, on most of these servers we did use a scripted rollout, so I'm not averse to the idea that the rollout may have had a bug... but we've identified 4 of the servers still showing the vulnerability that were installed by hand. This is not a good thing as it says there's a possibility that Microsoft's installation program itself may be flawed.

The moral of the story? Check file sizes and versions after installation of a hotfix! You never know if the update truly succeeded even if the correct registry entries were added.
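Added example (not part of the original post or of any Microsoft tooling): a sketch of the audit the message recommends, run over inventory already collected from each server, flagging hosts whose registry claims the hotfix while the files on disk are older than the patched build. Host names, the file name patched_a.dll and every version number are constructed placeholders; the real file list and minimum versions are assumed to come from the bulletin's file manifest.

```python
# Added example: all host names, file names and versions here are constructed.
# EXPECTED maps OS -> {file name: minimum patched version}; fill it from the
# bulletin's file manifest (assumption: versions are 4-part dotted numbers).
EXPECTED = {
    "win2000": {"patched_a.dll": "5.0.2195.1000"},
    "nt4": {"patched_a.dll": "4.0.1381.1000"},
}

# Constructed inventory, as a collection script might report it per server.
INVENTORY = [
    {"host": "SRV01", "os": "win2000", "registry_installed": True,
     "files": {"patched_a.dll": "5.0.2195.1000"}},
    {"host": "SRV02", "os": "win2000", "registry_installed": True,
     "files": {"patched_a.dll": "5.0.2195.999"}},   # stale build
    {"host": "SRV03", "os": "nt4", "registry_installed": True,
     "files": {}},                                   # file never found
    {"host": "SRV04", "os": "nt4", "registry_installed": False,
     "files": {"patched_a.dll": "4.0.1381.500"}},   # honestly unpatched
]


def parse_version(text):
    """'5.0.2195.999' -> (5, 0, 2195, 999) so fields compare as numbers."""
    parts = tuple(int(p) for p in text.strip().split("."))
    if len(parts) != 4:
        raise ValueError("expected a 4-part file version: %r" % text)
    return parts


def audit_host(record, expected):
    """Return (file, found, required) for each file below the patched build."""
    problems = []
    for name, minimum in sorted(expected[record["os"]].items()):
        found = record["files"].get(name)
        if found is None:
            problems.append((name, "missing", minimum))
        elif parse_version(found) < parse_version(minimum):
            problems.append((name, found, minimum))
    return problems


def silent_failures(inventory, expected):
    """Hosts whose registry claims the hotfix but whose files say otherwise."""
    return sorted(r["host"] for r in inventory
                  if r["registry_installed"] and audit_host(r, expected))


if __name__ == "__main__":
    for host in silent_failures(INVENTORY, EXPECTED):
        print(host, "registry says patched, files disagree")
```

Versions are compared field by field as integers because a plain string comparison would rank build 999 above build 1000 and pass SRV02 as patched.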
This archive was generated by hypermail 2b30 : Wed Aug 13 2003 - 19:36:18 PDT